OPENVPN + Google Authenticator - Plugin auth OK but TLS auth Failed


Post by GE33 » Wed Mar 01, 2023 10:33 am

Hi,

I'm trying to configure Google Authenticator on my Asus router OpenVPN server.
Everything is OK if I use the OTP as password, but it fails when I activate the "Static-challenge" option.

It's very strange, because the authentication plugin status is OK after validating the login/password with pam_unix and the OTP with google-authenticator, but the TLS auth failed.

It seems that TLS auth needs the username/password...

Here is the syslog:

Syslog
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: USER: adm
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: parsed static challenge password
Mar 1 11:19:22 vpnserver1[13825]: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/lib/pam_unix.so
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='Login:' style=2
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['Login:', 'login'] = 'USERNAME'
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='Password:' style=1
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password:', 'password'] = 'PASSWORD'
Mar 1 11:19:22 vpnserver1[13825]: in openpam_dispatch(): /usr/lib/pam_unix.so: pam_sm_authenticate(): success
Mar 1 11:19:22 vpnserver1[13825]: in openpam_dispatch(): calling pam_sm_authenticate() in /jffs/addons/google_authenticator/lib/pam_google_authenticator.so
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: start of google_authenticator for "adm"
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: Secret file permissions are 0400. Allowed permissions are 0400
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: "/jffs/.google_authenticator" read
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: shared secret in "/jffs/.google_authenticator" processed
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: google_authenticator for host "(null)"
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='pin' style=1
Mar 1 11:19:22 vpnserver1[13825]: PLUGIN AUTH-PAM: BACKGROUND: name match found, query/match-string ['pin', 'pin'] = 'OTP'
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: no scratch code used from "/jffs/.google_authenticator"
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: Accepted google_authenticator for adm
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: "/jffs/.google_authenticator" written
Mar 1 11:19:22 openvpn(pam_google_auth)[13825]: debug: end of google_authenticator for "adm". Result: success
Mar 1 11:19:22 vpnserver1[13825]: in openpam_dispatch(): /jffs/addons/google_authenticator/lib/pam_google_authenticator.so: pam_sm_authenticate(): success
Mar 1 11:19:22 ovpn-server1[13821]: 192.168.2.254:64480 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 1 11:19:22 ovpn-server1[13821]: 192.168.2.254:64480 TLS Auth Error: Auth Username/Password verification failed for peer



As you can see, pam_unix and google_authenticator both succeed and the openvpn-plugin-auth-pam is OK (status=0), but the TLS auth failed.

And the configuration files:

pam.d openvpn file

account required pam_unix.so
auth required pam_unix.so debug
auth required /jffs/addons/google_authenticator/lib/pam_google_authenticator.so secret='/jffs/.google_authenticator' user=adm authtok_prompt=pin debug



Server Config

daemon ovpn-server1
topology subnet
server XXX.XXX.XXX.XXX 255.255.255.0
proto udp6
multihome
port XXXXX
dev tun21
txqueuelen 1000
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
data-ciphers-fallback AES-128-CBC
keepalive 15 60
verb 5
push "route XXX.XXX.XXX.XXX 255.255.255.0 vpn_gateway 500"
duplicate-cn
push "redirect-gateway def1"
plugin /usr/lib/openvpn-plugin-auth-pam.so openvpn
ca ca.crt
dh dh.pem
cert server.crt
key server.key
script-security 2
up 'ovpn-up 1 server'
down 'ovpn-down 1 server'
status-version 2
status status 5

# Custom Configuration
plugin /usr/lib/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
setenv verb 9a



Client Config

client
dev tun
proto udp
remote XXX.XXX.XXX.XXX YYYY
resolv-retry infinite
static-challenge "Enter 2FA code:" 1
nobind
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC
keepalive 15 60
auth-user-pass
remote-cert-tls server



I'm using OpenVPN 2.5.7.

Any advice?

Thanks for your help
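
Added example, not part of the original post and not the plugin's own code: a Python model of the step the log reports as "parsed static challenge password" and of the `login USERNAME password PASSWORD pin OTP` mapping from the server config. With `static-challenge`, the client sends the password field as `SCRV1:<base64 password>:<base64 response>`. The function names and sample values are constructed, and the prompt-matching rule (case-insensitive prefix after skipping leading punctuation) is an assumption that is consistent with the log lines above.

```python
import base64
import binascii

def split_scrv1(field):
    """Split the client's password field into (password, otp); otp is None without a static challenge."""
    if not field.startswith("SCRV1:"):
        return field, None
    parts = field.split(":")
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 field")
    try:
        password, otp = (base64.b64decode(p, validate=True).decode("utf-8") for p in parts[1:])
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed SCRV1 field") from exc
    return password, otp

def parse_plugin_args(arg_string):
    """'openvpn login USERNAME ...' -> ('openvpn', [('login', 'USERNAME'), ...])."""
    service, *rest = arg_string.split()
    if len(rest) % 2:
        raise ValueError("match-string/token arguments must come in pairs")
    return service, list(zip(rest[0::2], rest[1::2]))

def answer_prompt(query, pairs, creds):
    """Return the credential for one PAM prompt, or None when nothing can answer it."""
    q = query.lower()
    while q and not q[0].isalnum():      # assumption: leading punctuation is skipped
        q = q[1:]
    for match, token in pairs:
        if q.startswith(match.lower()):  # assumption: case-insensitive prefix match
            return creds.get(token)
    return None

def run_conversation(field, arg_string, username, prompts):
    """Answer each PAM prompt in order from the decoded credentials."""
    password, otp = split_scrv1(field)
    _, pairs = parse_plugin_args(arg_string)
    creds = {"USERNAME": username, "PASSWORD": password, "OTP": otp}
    return [answer_prompt(p, pairs, creds) for p in prompts]

# Constructed sample values (not taken from the thread's traffic).
PLUGIN_ARGS = "openvpn login USERNAME password PASSWORD pin OTP"
SAMPLE = "SCRV1:{}:{}".format(base64.b64encode(b"example-password").decode(),
                              base64.b64encode(b"123456").decode())

if __name__ == "__main__":
    # Never log decoded values on a real server; printed here because they are constructed.
    print(run_conversation(SAMPLE, PLUGIN_ARGS, "adm", ["Login:", "Password:", "pin"]))
```

A `None` in the result means the conversation had nothing to answer that prompt with, which is what happens to the `pin` prompt when the client sends a plain password with no static challenge.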


Post by GE33 » Fri Mar 03, 2023 10:32 pm

Problem solved :D


Post by ian.pohl » Tue Mar 14, 2023 3:46 am

What was the problem?

I have the same issue.
